Information security is an important activity that organizations are required to carry out. A defined set of phases is followed to develop and implement an organization's information security plan and policies; this set of phases is termed the SecSDLC.
The SecSDLC phases that shall be executed to meet the necessary requirements are described below.
This is the phase in which the development team collaborates with senior management and the Chief Information Officer (CIO) of the organization to identify the security needs and requirements that shall be included in the policies and strategies.
This phase also covers the cost and schedule associated with the effort.
Risk assessment is carried out in this phase to identify the areas in which security policies shall be implemented. Several risks may be associated with the organization and the systems under it, and these risks demand specific response strategies, which are determined in this phase (Alruwaili & Gulliver, 2015).
In this phase, the policy statements and plans drawn up to enhance the organization's information security are distributed to all members associated with the organization.
The policies and plan are written in this phase, drawing on numerous sources to complete the task. Many research articles and journals are used in this phase to create the required policy.
The policies shall be updated at regular intervals to ensure that necessary changes are incorporated into the designed policy. This shall be done with the aid of maintenance tools along with reviews and inspections executed at frequent intervals (Rosenkranz, 2007).
The person in charge of the SecSDLC holds an important role, and there are several skills and areas of knowledge that shall be acquired in order to fulfill the role as expected.
The resource must have management and leadership skills so that the decisions and the phases included under the SecSDLC can be accomplished successfully. Information security policies vary from one organization to another; for instance, the security and regulatory policies followed in a healthcare organization will differ from those of a financial firm. Details of the regulatory, legal and security policies specific to the organization shall be acquired so that the steps taken under the SecSDLC match the needs and requirements of the organization.
It will also be necessary to be well versed in the basic and advanced security mechanisms that may be implemented in the organization to enhance the security infrastructure. It shall also be ensured that risk management tools and strategies are well understood so that the security steps are implemented correctly.
Several laws have been defined in the United States for the protection of information and the enhancement of its security. Some of these laws are explained below.
HIPAA stands for the Health Insurance Portability and Accountability Act. It is the United States law that defines the measures and provisions for safeguarding the privacy and security of data associated with medical information and records. The law was passed in 1996 and primarily comprises five different sections (Cms, 2017).
These sections are defined as titles in the HIPAA legislation. Title I defines the measures to protect the health insurance coverage of individuals. The measures that shall be taken while exchanging and handling electronic health records are given under Title II. Tax-related provisions that apply to medical care are included under Title III. Individuals seeking continued coverage and the details related to health insurance reform are covered in Title IV. Tax-related provisions for individuals who lose their US citizenship are included under Title V (Califf, 2003).
The Security and Freedom through Encryption Act is also known as the SAFE Act. It is the legislation that covers information encryption and its application in the United States.
This law states that people in the US may use any form or type of encryption and may also sell any of these encrypted products in interstate commerce. The SAFE Act has been defined in a seventeen-page bill. It comprises the details and steps associated with the export of any encrypted product. The bill places all encrypted products, apart from those associated with military use and application, under the Secretary of Commerce. It also states that a one-time, fifteen-day technical review shall be carried out by the Secretary on encrypted software, hardware and other technical equipment, after which no further export license shall be required (Horiuchi, 2008).
The bill also states the encryption specifications of the software used by banks and other financial corporations.
The Sarbanes-Oxley Act, also known as the SOX Act, was passed by the US Congress to put a check on fraudulent practices and measures that may be carried out by shareholders and public entities in an enterprise. It also includes steps to enhance the accuracy of corporate disclosures.
The Act is not restricted to the financial side and perspective of the organization but also covers the IT side. It does not define or specify how data shall be stored, but it does specify for how long it shall be handled and managed. It also states that all forms of electronic records and messages shall be stored for a period of at least five years (Aicpa, 2012).
Three rules have been defined under the SOX Act for the adequate management of electronic records.
Fairleigh Dickinson University (FDU) is a private university based in New Jersey. Information security will be a prime focus and matter of concern for FDU.
In a scenario where the computer infrastructure associated with FDU is not kept up to date, many risks and threats will crop up.
Owing to the lack of maintenance and upgrades, many security risks become probable and may be given shape by attackers, such as information breaches and data integrity attacks. Attacks involving message or media alteration may be witnessed, access controls may be broken easily, and security vulnerabilities will be exploited. All of these risks and attacks will negatively impact the information properties of the data sets associated with FDU. FDU deals with a lot of data, such as academic information of students, details of the courses offered, attendance details of students, demographic details of students and staff members, information on upcoming events and much more.
An attacker's ability to gain this information through unauthorized means will lead to a breach of the security, privacy and confidentiality of the information.
The situation at FDU arising from the lack of proper computer infrastructure will differ from that of a bank in terms of the information categories the two entities deal with. Banks primarily deal with the financial data and details of customers and partners, which is extremely critical in nature. In the case of FDU, the academic and demographic information is sensitive but not severely critical. Also, FDU may have resources available to immediately fix loopholes in the security architecture, which may not be the case with banks. Therefore, FDU will be in a better position compared to a bank.
If a similar situation arises in a library, the information targeted by attackers will be research journals, papers, books and demographic details of customers. However, the sensitivity of the academic profiles of students along with the course details associated with FDU will be higher than that of the data held by a library. Therefore, FDU will be in a worse situation compared to a library if a similar situation occurs.
Many security risks and attacks take place in technical companies such as Microsoft, as there is heavy use of technology and technological components in these organizations. The ability to deal with technical risks and information security attacks arising from a lack of computer infrastructure or related upgrades will be higher in a technical company than in an educational institution like FDU. Therefore, FDU will be in a worse state if a similar situation arises at FDU and at a technical company such as Microsoft.
References
Aicpa. (2012). The Sarbanes-Oxley Act of 2002. Retrieved 12 June 2017, from https://www.aicpa.org/Advocacy/State/Documents/SOX%20fact%20sheet_012012.pdf
Alruwaili, F., & Gulliver, T. (2015). SecSDLC: A Practical Life Cycle Approach for Cloud-based Information Security. Retrieved 12 June 2017, from https://www.ijrcct.org/index.php/ojs/article/view/1038
Califf, R. (2003). Health Insurance Portability and Accountability Act (HIPAA): Must There Be a Trade-Off Between Privacy and Quality of Health Care, or Can We Advance Both? Retrieved 12 June 2017, from https://circ.ahajournals.org/content/108/8/915
Cms. (2017). HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. Retrieved 12 June 2017, from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf
Horiuchi, C. (2008). Case Study of H.R. 695: The Security and Freedom Through Encryption (SAFE) Act. Retrieved 12 June 2017, from https://csrc.nist.gov/nissc/1998/proceedings/paperG5.pdf
Rosenkranz, S. R., Busing, M. E., et al. (2007). Role of Quantitative Analysis in SecSDLC. Retrieved 12 June 2017, from https://scholarworks.lib.csusb.edu/jitim/vol16/iss2/2/